Regional regulatory compliance trends: Strategies and implications
Extracted from a podcast by Tim White, Director of Product Management, Policy Compliance at Qualys, who talks about regulatory compliance trends across a variety of different regions in the world, as well as strategies for dealing with them.
Compliance, you know, really started out as a thing in the US quite a while back. We had Sarbanes–Oxley, and a variety of state privacy regulations that followed. We saw the growth of regulation of critical industry verticals, like the energy sector and healthcare sector, with the implementation of NERC – the National Energy Reliability Council Regulations – as well as HIPAA. These tended to be very general regulations at first. In additional versions they’ve become a little more prescriptive. HIPAA is still very vague, but they’ve added some regulatory body initiatives around HITRUST to provide better detailed guidance from a technology perspective. We’ve seen the emergence of a variety of different standards to help organizations implement the high-level regulatory requirements, such as NIST and ISO to name a few, which are fairly well adopted across the world: NIST in the US and ISO more so for regulations here in Europe. However, we see these emerging and being used across the globe as different organizations have different regulatory compliance needs and use different auditors.
We also have quite a few industry-led initiatives, like PCI. These have a lot more flexibility because of the fact that they don’t have to be adopted by governing bodies. It makes it very easy for them to make revisions and add additional provisions. And with PCI specifically, we’ve seen a lot of changes in the mandates as the financial industry realizes that more and more controls are required in order to protect personally identifying information for card holders.
In the US recently most of the growth and shake-up has been in the federal space. We’ve seen things like US FDCC, which is the desktop requirements for the US government, get replaced with USGCB in 2010. And then more recently, the president’s executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was implemented in 2017; it just came out, requiring the NIST Cybersecurity Framework and the assessment of assets using DISA STIG standards.
In the EU we had the Data Protection Act. GDPR expands on the scope of this quite significantly, making the definition of subject data much broader as well as adding additional requirements and crossing the entire EU. GDPR requires organizations globally to properly track and protect their EU customers’ personal data or face penalties and fines.
On multiple fronts, they have to track and classify IT assets that contain the data and adopt overall data governance and security programs in order to comply with GDPR. Organizations need to identify, classify and limit access to protected personal data, and there’s a whole host of very specific requirements around the end-to-end lifecycle of how, when, why and where data can be stored and transmitted.
The UK has the Information Commissioner’s Office, which provides key guidance on implementing GDPR, and they make a lot of recommendations on controls and strategies for protecting data privacy. The regulation itself is extremely general, so it’s going to take a lot of interpretation throughout the globe to decide exactly what needs to be put in place from an information security perspective.
France and Germany:
Of course, all of the countries and the regions, many of them have their own existing information security regulations. France has ANSSI – Implemented Essential Measures for Healthy Networks. And Germany has BSI-Grundschutz, which is highly centered around an ISO 27001 and 27002 implementation. And we continue to see additional countries within the EU that are going to be implementing their own localized regulations to enforce GDPR’s more general requirements. And of course, there are additional information security provisions that may be needed. The GDPR itself has country-specific provisions that give these individual countries a lot of leeway as well, and we expect that will result in the emergence of additional government entities implementing specific regulations within their boundaries.
In the Middle East we’ve seen a lot less stringent requirements. NESA in the UAE introduces an Information Assurance Standard that covers a variety of different areas of requirements for strategy and planning, risk management, security awareness and training. It’s really a high-level general compliance regulation requiring people to basically implement a good security program. And then of course we have ADSIC – the Abu Dhabi Systems and Information Centre – Information Security Standard; they just recently introduced version 2.0 of that standard, which is intended to guide entities and business partners in areas requiring focus for the application of information security controls. Adherence to the control standards is being rolled out across the Abu Dhabi government entities, which are the majority of the center for the requirements. However, there are general requirements for businesses and partners within the region to comply with this as well, which mostly affects a lot of the oil industry and energy sectors and things of that nature.
In India, there’s been a big trend in adoption of technology as part of the digital transformation of the country. We’ve seen a significant growth in the adoption of automated payment systems. In my last couple of trips to India it’s been very visible; over a one-year period, the change in the way that they accept payment. The reform of their monetary system was a key driver for this, and India’s central banking and monetary authority – the Reserve Bank of India – in response to this has implemented a new set of requirements, primarily because of the number, frequency and impact of cybersecurity incidents on Indian banks and the amount of customers that exist in that country due to the population; they’ve seen a significant increase across the entire country. And like their global peers, they’re committed to maintaining customer trust, protecting financial assets and doing brand preservation. So, there’s a significant push to adopt better cybersecurity requirements.
RBI is now requiring all the banks in the country to comply with these very prescriptive regulatory requirements. They define specific controls and adoption guidelines. They require the banks to be in immediate preparedness; they’re required to submit their risk analysis and control gaps to the board along with remediation timelines for prioritization and show positive improvements. So this regulation is actually quite impressive in the scope that they went through to push this down to their individual constituent banks.
We’re seeing this trend emerge where other industries within India are following suit. So there’s the IRDA, which is the insurance industry’s data requirements that are being pushed out and expected to go live soon as well, for the same exact reasons. We expect that at some point there’ll probably be a merging of many of these regulations into a more concise national standard, similar to what we’ve seen in Australia.
Australia actually has a fairly mature set of standards and requirements. The ISM – the Information Security Manual – covers a variety of critical strategies and requirements for information systems within the country for the government as well as for businesses doing work there. And they’ve also put out a variety of directives, like the Essential Eight strategies for securing information systems. They have requirements around privacy and data protection. They have requirements around infrastructure protection, and in a lot of areas where they don’t have requirements, they just generally require compliance with NIST and other globally accepted standards, so it’s a fairly comprehensive approach that we’re seeing in that region.
Overall, information security issues, nation state activities and evolving threats are continuing to keep the focus on InfoSec at the regulatory level. We’re seeing that this is driving the creation of more and more regulations, and we’re seeing a varying level of enforcement across these regulations. We think over time that will kind of level out and we’ll see more parallelism across the requirements in a lot of regions, especially in areas like the EU where they have a broader governing body that’s putting out controls like GDPR.
We’ll see regulatory boards, governing bodies and commissions like the ISO providing more guidance on exactly what it means to be compliant with certain parts of the regulations. They’ll probably become a little bit more prescriptive in nature. It’s difficult for them to make the regulation itself more prescriptive because of the fact that the regulations are difficult to change and require a variety of international cooperation to put into place.
Source | helpnetsecurity